SECURITY: Don't allow base_uri as embeddable host if none exist

This commit is contained in:
Robin Ward 2019-09-29 20:51:59 -04:00 committed by Régis Hanol
parent fd0bb34001
commit cd20d0fdfd
2 changed files with 5 additions and 1 deletions


@ -44,7 +44,7 @@ class EmbeddableHost < ActiveRecord::Base
def self.url_allowed?(url) def self.url_allowed?(url)
# Work around IFRAME reload on WebKit where the referer will be set to the Forum URL # Work around IFRAME reload on WebKit where the referer will be set to the Forum URL
return true if url&.starts_with?(Discourse.base_url) return true if url&.starts_with?(Discourse.base_url) && EmbeddableHost.exists?
uri = begin uri = begin
URI(UrlHelper.escape_uri(url)) URI(UrlHelper.escape_uri(url))
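Review bot: The `return true` line still decides with `starts_with?(Discourse.base_url)`, so any referer string that merely begins with the forum URL passes the workaround; comparing the parsed referer's host and scheme against `URI(Discourse.base_url)` would be tighter than a prefix test, and the later `URI(UrlHelper.escape_uri(url))` already shows the parse is available. The added `EmbeddableHost.exists?` closes the no-hosts case, but the comment above the line still only explains the WebKit reload and not why the host check is now required; consider extending it with `# Only honour this workaround when at least one embeddable host is configured, otherwise nothing may embed the forum`. url_allowed? continues below the hunk.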


@ -65,6 +65,10 @@ describe EmbeddableHost do
end end
end end
it "doesn't allow forum own URL if no hosts exist" do
expect(EmbeddableHost.url_allowed?(Discourse.base_url)).to eq(false)
end
describe "url_allowed?" do describe "url_allowed?" do
fab!(:host) { Fabricate(:embeddable_host) } fab!(:host) { Fabricate(:embeddable_host) }
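Review bot: The new example is placed above the `describe "url_allowed?"` group rather than inside it, presumably so that the group's `fab!(:host)` does not create a host before the assertion runs, but nothing records that and a later tidy-up could move it into the group and silently invert its premise; a line such as `# kept outside the "url_allowed?" group so fab!(:host) does not create a host` above the `it` would pin the intent. The expectation `eq(false)` also assumes url_allowed? returns literal false when it falls through past the base_url check; if that path can yield nil, `be_falsey` is the safer matcher, or the test should assert the specific value the fall-through produces. The enclosing describe block starts before the hunk.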